2026-06-15 | launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
Summary
The launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking.
Impact
If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the launch-editor:
Component: vite | Severity: Medium | Affected: >= 8.0.0, <= 8.0.15; >= 7.0.0, <= 7.3.4; <= 6.4.2 | Patched: 6.4.3, 7.3.5, 8.0.16 | CVE-2026-53632
2026-06-15 | vite: server.fs.deny bypass on Windows alternate paths
Summary
The contents of files that are specified by server.fs.deny can be returned to the browser on Windows.
Impact
Only apps that match the following conditions are affected:
Component: vite | Severity: High | Affected: >= 8.0.0, <= 8.0.15; >= 7.0.0, <= 7.3.4; <= 6.4.2 | Patched: 6.4.3, 7.3.5, 8.0.16 | CVE-2026-53571
2026-06-03 | launch-editor vulnerable to command injection via a crafted request on Windows
Summary
Due to the insufficient sanitization of the file argument in the launchEditor, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters.
Impact
If the following conditions are met, an attacker can execute arbitrary commands on the computer that is using the launch-editor:
- An attacker can place a file with the malicious filename
- An attacker can call the launchEditor method with the file argument controlled
- The launch-editor pa…
Component: vite | Severity: High | Affected: <= 5.4.8 | Patched: 5.4.9 | CVE-2024-52011
2026-04-06 | Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
Summary
The server.fs check was not enforced on the fetchModule method that is exposed through the Vite dev server's WebSocket.
Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or server.host config option)
- WebSocket is not disabled by server.ws: false
Arbitrary files on the server (development ma…
Component: vite | Severity: High | Affected: >= 8.0.0, <= 8.0.4; >= 7.0.0, <= 7.3.1; >= 6.0.0, <= 6.4.1 | Patched: 6.4.2, 7.3.2, 8.0.5 | CVE-2026-39363
2026-04-06 | Vite Vulnerable to Path Traversal in Optimized Deps .map Handling
Summary
Any file ending with .map, even outside the project, can be returned to the browser.
Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or server.host config option)
- has sensitive content in files ending with .map whose path is predictable
Details
In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependen…
Component: vite | Severity: Medium | Affected: >= 8.0.0, <= 8.0.4; >= 7.0.0, <= 7.3.1; <= 6.4.1 | Patched: 6.4.2, 7.3.2, 8.0.5 | CVE-2026-39365
2026-04-06 | Vite: server.fs.deny bypassed with queries
Summary
The contents of files that are specified by server.fs.deny can be returned to the browser.
Impact
Only apps that match the following conditions are affected:
Component: vite | Severity: High | Affected: >= 8.0.0, <= 8.0.4; >= 7.1.0, <= 7.3.1 | Patched: 7.3.2, 8.0.5 | CVE-2026-39364
2025-10-20 | vite allows server.fs.deny bypass via backslash on Windows
Summary
Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.
Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or server.host config option)
- runs the dev server on Windows
Details
server.fs.deny can contain patterns matching…
Component: vite | Severity: Medium | Affected: >= 7.1.0, <= 7.1.10; >= 7.0.0, <= 7.0.7; >= 6.0.0, <= 6.4.0; >= 2.9.18, < 3.0.0; >= 3.2.9, < 4.0.0; >= 4.5.3, < 5.0.0; >= 5.2.6, <= 5.4.20 | Patched: 5.4.21, 6.4.1, 7.0.8, 7.1.11 | CVE-2025-62522
2025-09-09 | Vite middleware may serve files whose name starts with the public directory's name
Summary
Files whose name started with the same name as the public directory were served, bypassing the server.fs settings.
Impact
Only apps that match the following conditions are affected:
…
Component: vite | Severity: Low | Affected: >= 7.1.0, <= 7.1.4; >= 7.0.0, <= 7.0.6; >= 6.0.0, <= 6.3.5; <= 5.4.19 | Patched: 5.4.20, 6.3.6, 7.0.7, 7.1.5 | CVE-2025-58751
2025-09-09 | Vite's server.fs settings were not applied to HTML files
Summary
Any HTML files on the machine were served regardless of the server.fs settings.
Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or server.host config option)
- uses appType: 'spa' (default) or appType: 'mpa'
This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be serve…
Component: vite | Severity: Low | Affected: >= 7.1.0, <= 7.1.4; >= 7.0.0, <= 7.0.6; >= 6.0.0, <= 6.3.5; <= 5.4.19 | Patched: 5.4.20, 6.3.6, 7.0.7, 7.1.5 | CVE-2025-58752
2025-04-30 | Vite's server.fs.deny bypassed with /. for files under project root
Summary
The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.
Impact
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can…
Component: vite | Severity: Medium | Affected: >= 6.3.0, <= 6.3.3; >= 6.2.0, <= 6.2.6; >= 6.0.0, <= 6.1.5; >= 5.0.0, <= 5.4.18; <= 4.5.13 | Patched: 4.5.14, 5.4.19, 6.1.6, 6.2.7, 6.3.4 | CVE-2025-46565
2025-04-11 | Vite has a server.fs.deny bypass with an invalid request-target
Summary
The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.
Impact
Only apps that match the following conditions are affected:
- explicitly exposing the Vite dev server to the network (using --host or server.host config option)
- running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)
Details
[HTTP 1.1 spec (RFC 9112) does not allow # in request-target](https://datat…
Component: vite | Severity: Medium | Affected: >= 6.2.0, < 6.2.6; >= 6.1.0, < 6.1.5; >= 6.0.0, < 6.0.15; >= 5.0.0, < 5.4.18; < 4.5.13 | Patched: 4.5.13, 5.4.18, 6.0.15, 6.1.5, 6.2.6 | CVE-2025-32395
2025-04-04 | Vite allows server.fs.deny to be bypassed with .svg or relative paths
Summary
The contents of arbitrary files can be returned to the browser.
Impact
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Details
.svg
Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init o…
Component: vite | Severity: Medium | Affected: >= 6.2.0, < 6.2.5; >= 6.1.0, < 6.1.4; >= 6.0.0, < 6.0.14; >= 5.0.0, < 5.4.17; < 4.5.12 | Patched: 4.5.12, 5.4.17, 6.0.14, 6.1.4, 6.2.5 | CVE-2025-31486
2025-03-31 | Vite's server.fs.deny bypassed for inline and raw with ?import query
Summary
The contents of arbitrary files can be returned to the browser.
Impact
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Details
- base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
- content of non-allowed files is exposed using ?raw?import
/@fs/ isn’t needed to reprod…
Component: vite | Severity: Medium | Affected: >= 6.2.0, < 6.2.4; >= 6.1.0, < 6.1.3; >= 6.0.0, < 6.0.13; >= 5.0.0, < 5.4.16; < 4.5.11 | Patched: 4.5.11, 5.4.16, 6.0.13, 6.1.3, 6.2.4 | CVE-2025-31125
2025-03-25 | Vite bypasses server.fs.deny when using ?raw??
Summary
The contents of arbitrary files can be returned to the browser.
Impact
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Details
@fs denies access to files outside of Vite's serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such…
Component: vite | Severity: Medium | Affected: >= 6.2.0, < 6.2.3; >= 6.1.0, < 6.1.2; >= 6.0.0, < 6.0.12; >= 5.0.0, < 5.4.15; < 4.5.10 | Patched: 4.5.10, 5.4.15, 6.0.12, 6.1.2, 6.2.3 | CVE-2025-30208
2025-01-21 | Websites were able to send any requests to the development server and read the response in vite
Summary
Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.
[!WARNING]
This vulnerability even applies to users that only run the Vite dev server on the local machine and do not expose the dev server to the network.
Upgrade Path
Users that do not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vu…
Component: vite | Severity: Medium | Affected: >= 6.0.0, <= 6.0.8; >= 5.0.0, <= 5.4.11; <= 4.5.5 | Patched: 4.5.6, 5.4.12, 6.0.9 | CVE-2025-24010
2024-09-17 | Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Summary
We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
Note that we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
Details
Background
DOM Clobber…
Component: vite | Severity: Medium | Affected: >= 4.0.0, < 4.5.4; >= 5.4.0, < 5.4.6; >= 5.3.0, < 5.3.6; >= 5.2.0, < 5.2.14; < 3.2.11; >= 5.0.0, < 5.1.8 | Patched: 3.2.11, 4.5.4, 5.1.8, 5.2.14, 5.3.6, 5.4.6 | CVE-2024-45812
2024-09-17 | Vite's server.fs.deny is bypassed when using ?import&raw
Summary
The contents of arbitrary files can be returned to the browser.
Details
@fs denies access to files outside of Vite's serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.
PoC
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
$ echo "top secret content" > /tmp/secret.txt
# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"
<body>
<h1>403 Restricted</h1>
<p>The requ…
Component: vite | Severity: Medium | Affected: >= 5.4.0, <= 5.4.5; >= 5.3.0, <= 5.3.5; >= 4.0.0, <= 4.5.3; <= 3.2.10; >= 5.2.0, < 5.2.14; >= 5.0.0, <= 5.1.7 | Patched: 3.2.11, 4.5.4, 5.1.8, 5.2.14, 5.3.6, 5.4.6 | CVE-2024-45811
2024-04-03 | Vite's server.fs.deny did not deny requests for patterns with directories
Summary
Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.
Impact
Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Patches
Fixed in vit…
Component: vite | Severity: Medium | Affected: >= 2.7.0, <= 2.9.17; >= 3.0.0, <= 3.2.8; >= 4.0.0, <= 4.5.2; >= 5.0.0, <= 5.0.12; >= 5.1.0, <= 5.1.6; >= 5.2.0, <= 5.2.5 | Patched: 2.9.18, 3.2.10, 4.5.3, 5.0.13, 5.1.7, 5.2.6 | CVE-2024-31207
2024-01-19 | Vite dev server option server.fs.deny can be bypassed when hosted on case-insensitive filesystem
Summary
Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.
This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 — with surface area reduced to hosts having case-insensitive filesystems.
Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17
Details
Since picomatch defaults t…
Component: vite | Severity: High | Affected: >= 2.7.0, <= 2.9.16; >= 3.0.0, <= 3.2.7; >= 4.0.0, <= 4.5.1; >= 5.0.0, <= 5.0.11 | Patched: 2.9.17, 3.2.8, 4.5.2, 5.0.12 | CVE-2024-23331
2023-12-05 | Vite XSS vulnerability in server.transformIndexHtml via URL payload
Summary
When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the HTML being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.
Impact
Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must a…
Component: vite | Severity: Medium | Affected: >= 4.4.0, < 4.4.12; = 4.5.0; >= 5.0.0, < 5.0.5 | Patched: 4.4.12, 4.5.1, 5.0.5 | CVE-2023-49293
2023-06-06 | Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Steps to Fix
1. Update Vite: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.
2. Secure the server configuration: In your vite.config.js file, review and update the server configuration…
Component: vite | Severity: High | Affected: < 2.9.16; >= 3.0.2, < 3.2.7; >= 4.0.0, < 4.0.5; >= 4.1.0, < 4.1.5; >= 4.2.0, < 4.2.3; >= 4.3.0, < 4.3.9 | Patched: 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, 4.3.9 | CVE-2023-34092
2022-08-19 | Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service
Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service.
Component: vite | Severity: High | Affected: < 2.9.13; >= 3.0.0-alpha.0, < 3.0.0-beta.4 | Patched: 2.9.13, 3.0.0-beta.4 | CVE-2022-35204